If you are using Safari 16, and you set up a passkey on your iPhone/iOS 16, you can ask the browser to allow you to sign in using the passkey stored on the iPhone.
And what happens if you want to log in to that web service on Windows? That means you have to sync the Windows PC Bluetooth to your Mac or what?
 
And what happens if you want to log in to that web service on Windows? That means you have to sync the Windows PC Bluetooth to your Mac or what?
Well, you wouldn't be using Safari to begin with ;) But either you use iCloud on Windows together with the plugin for Chromium browsers, and you sync that way. Or you use something like 1Password and have it on those two and full cross-platform availability.
 
Your public key is stored yes, not your password. If you can't see the benefit of that, then I don't know how else to explain it, I'm afraid.

I understand, but isn't my password stored hashed? Meaning even if someone gets their hands on it they still can't do anything with it? Just like they can't do anything with my public key?
 
I understand, but isn't my password stored hashed? Meaning even if someone gets their hands on it they still can't do anything with it? Just like they can't do anything with my public key?
Hashing is most definitely more secure than unhashed. However, as a very simple example, say you've been pwned and your commonly reused password is part of a breach. Now that password is tried on other websites (yup, really, most people do reuse their password); the fact that it is hashed doesn't matter, as the password comparison against the hash will be valid.

And I'm not even talking about mistakes, simple commonly used passwords, insecure hashing algorithms, people making a minor password change, not having 2FA or MFA enabled.

And whilst hashed passwords are significantly better than unhashed or encrypted, it doesn't change the fact that to do the comparison, you have to share your password, and it is open to the human factor of reusing passwords on multiple sites.

And there is a fundamental difference compared to Public Key Encryption approaches. Furthermore, intentionally, a number of those vulnerabilities and attack vectors as outlined above are simply not present when using the Passkey methods. Not even a fake site trying to trick you will work, nor reuse of credentials.
 
Well, you wouldn't be using Safari to begin with ;) But either you use iCloud on Windows together with the plugin for Chromium browsers, and you sync that way. Or you use something like 1Password and have it on those two and full cross-platform availability.
This is why I don't like passkeys. I just prefer a computer-generated password that I keep in my iCloud keychain.
 
This is why I don't like passkeys. I just prefer a computer-generated password that I keep in my iCloud keychain.
OK, I'm not sure I get the logic as to why you don't like passkeys for that reason. Is it because you don't trust a computer to store it correctly, verify the URL is actually the URL used to create that password and ask for the public key to be shared with you so your computer can check it is still valid, as opposed to looking up your secret and then typing or pasting it into some website and sharing your actual secret with others, where you have to manually verify that they are who they pretend to be...

I don't get the logic as to why you wouldn't like a passkey...
 
OK, I'm not sure I get the logic as to why you don't like passkeys for that reason. Is it because you don't trust a computer to store it correctly, verify the URL is actually the URL used to create that password and ask for the public key to be shared with you so your computer can check it is still valid, as opposed to looking up your secret and then typing or pasting it into some website and sharing your actual secret with others, where you have to manually verify that they are who they pretend to be...

I don't get the logic as to why you wouldn't like a passkey...
Yes, I want to be able to manually look up, or just remember, the password. I feel more in control. What happens if you lose your phone? What happens if you run out of data?
 
Yes, I want to be able to manually look up, or just remember, the password. I feel more in control. What happens if you lose your phone? What happens if you run out of data?
Far out edge cases, if you run out of data, you can't access the service anyway. Come on, let's not be silly about this.

I get the feeling about more in control, really do, but I wouldn't compromise security for a misplaced feeling where systems can do much better than me.
 
Hashing is most definitely more secure than unhashed. However, as a very simple example, say you've been pwned and your commonly reused password is part of a breach. Now that password is tried on other websites (yup, really, most people do reuse their password); the fact that it is hashed doesn't matter, as the password comparison against the hash will be valid.

And I'm not even talking about mistakes, simple commonly used passwords, insecure hashing algorithms, people making a minor password change, not having 2FA or MFA enabled.

And whilst hashed passwords are significantly better than unhashed or encrypted, it doesn't change the fact that to do the comparison, you have to share your password, and it is open to the human factor of reusing passwords on multiple sites.

And there is a fundamental difference compared to Public Key Encryption approaches. Furthermore, intentionally, a number of those vulnerabilities and attack vectors as outlined above are simply not present when using the Passkey methods. Not even a fake site trying to trick you will work, nor reuse of credentials.

How would I get pwned if my password is hashed?

The issue you raise does not apply to me since I use a different password for each site and store them using a password manager, but I can see how it's a better experience for someone to open Windows or macOS and the experience is much more seamless.

What I do not understand is how do I prove that I am the actual user?

Let's say I am JohnDoe@Gmail.com. I am using a computer at school. Now how do I prove to Gmail that I am the actual user? With passwords, I type in the password. With passkeys, what do I do?

If I need to type in a password to log in to my iCloud to sync Keychain, then right there is the weak link. I am using passwords again; now just one password unlocks all accounts. If I need to use 2FA like my iPhone, then if I lose my phone or my SIM card is not working, or the battery is dead, or I have not paid the bill... that's it, I am all locked out.

Then we have the issue that passkeys are not cross-platform. Any device that can access the web (like a PlayStation) will need to have an iCloud, Bitwarden, or 1Password client to sync the passkeys (which they do not). With passwords all I have to do is just type in the password. It's much more versatile.
 
How would I get pwned if my password is hashed?

The issue you raise does not apply to me since I use a different password for each site and store them using a password manager, but I can see how it's a better experience for someone to open Windows or macOS and the experience is much more seamless.

What I do not understand is how do I prove that I am the actual user?

Let's say I am JohnDoe@Gmail.com. I am using a computer at school. Now how do I prove to Gmail that I am the actual user? With passwords, I type in the password. With passkeys, what do I do?

If I need to type in a password to log in to my iCloud to sync Keychain, then right there is the weak link. I am using passwords again; now just one password unlocks all accounts. If I need to use 2FA like my iPhone, then if I lose my phone or my SIM card is not working, or the battery is dead, or I have not paid the bill... that's it, I am all locked out.

Then we have the issue that passkeys are not cross-platform. Any device that can access the web (like a PlayStation) will need to have an iCloud, Bitwarden, or 1Password client to sync the passkeys (which they do not). With passwords all I have to do is just type in the password. It's much more versatile.
I agree completely.
 
How would I get pwned if my password is hashed?

The issue you raise does not apply to me since I use a different password for each site and store them using a password manager, but I can see how it's a better experience for someone to open Windows or macOS and the experience is much more seamless.
If you are a good citizen and use unique passwords for each site, then yes, you are right. The risk is very low to you. Don't forget it isn't all about you, the vast majority of people don't and don't use a password manager.
What I do not understand is how do I prove that I am the actual user?

Let's say I am JohnDoe@Gmail.com. I am using a computer at school. Now how do I prove to Gmail that I am the actual user? With passwords, I type in the password. With passkeys, what do I do?
You don't, not even with passwords. All you do is prove that you know the password or have the private key. You don't prove you are the actual user.
If I need to type in a password to log in to my iCloud to sync Keychain, then right there is the weak link. I am using passwords again; now just one password unlocks all accounts.
Didn't you earlier say you use a password manager? How do you unlock that one?
If I need to use 2FA like my iPhone, then if I lose my phone or my SIM card is not working, or the battery is dead, or I have not paid the bill... that's it, I am all locked out.
You could be but don't have to. It would be silly if you rely on a single device and haven't safeguarded the key that allows you back in. But yes, not unheard of; remember you need to manage your keys.
Then we have the issue that passkeys are not cross-platform. Any device that can access the web (like a PlayStation) will need to have an iCloud, Bitwarden, or 1Password client to sync the passkeys (which they do not). With passwords all I have to do is just type in the password. It's much more versatile.
That entirely depends on the device. So say you are on a terrible browser like a TV or game console, and you are on a passkey website. How is using your phone or another device linked as a provider of passkeys not infinitely more convenient than having to type in a password? Besides, I don't get your argument: you said earlier that you use a password manager, and now you are arguing that it isn't available. Which is it?
 
If you are a good citizen and use unique passwords for each site, then yes, you are right. The risk is very low to you. Don't forget it isn't all about you, the vast majority of people don't and don't use a password manager.

Yes, I mentioned it might work better for average people.

You don't, not even with passwords. All you do is prove that you know the password or have the private key. You don't prove you are the actual user.

Usually I can remember the password, but how can I remember the passkey?

Didn't you earlier say you use a password manager? How do you unlock that one?

With a password, but I am not against passwords. I am confused that they say passkeys are going to replace passwords, yet now I need a password to unlock my passkeys. So it did not, did it?

You could be but don't have to. It would be silly if you rely on a single device and haven't safeguarded the key that allows you back in. But yes, not unheard of; remember you need to manage your keys.

That entirely depends on the device. So say you are on a terrible browser like a TV or game console, and you are on a passkey website. How is using your phone or another device linked as a provider of passkeys not infinitely more convenient than having to type in a password? Besides, I don't get your argument: you said earlier that you use a password manager, and now you are arguing that it isn't available. Which is it?

Yes, it would be easier to snap a picture of a QR code, but will that device have the ability to sync the passkeys from my iPhone to it?

--

My argument is that yes, I do use a password manager, but I can also remember my passwords and type them. With passkeys I cannot remember my passkeys or type them. Also, passwords are cross-platform. I can type them anywhere. Passkeys are not, at least not without some sort of a syncing method.

Even on some websites like banks, sometimes you get a panel with a keyboard where you have to type in a PIN code or a password via a digital keyboard using a mouse. I do not know why they do this, but it shows you how versatile a password is.

-----------

One thing I would love, if passkeys can do it, is if I do not have to re-login or get timed out of the account. This is extremely frustrating for me. If it can identify me on the fly that would be much easier, but then again, sometimes you want to use websites without being logged in, like in private tab mode.
 
Yes, I mentioned it might work better for average people.
It works SAFER for everyone, because the site no longer has all the login information. There are three pieces of information needed: your login info, your public key, and your private key. Your private key should NEVER leave your possession (either your computer or a secured storage like iCloud or a password manager).
Usually I can remember the password, but how can I remember the passkey?
You don't, it is saved in a secure container. You can't lose what you don't have access to. (You couldn't memorize it anyway, it is way too long.)
With a password, but I am not against passwords. I am confused that they say passkeys are going to replace passwords, yet now I need a password to unlock my passkeys. So it did not, did it?
One password to remember. No different than using a password manager now. You use your password manager password to unlock the password manager, which fills in your password automatically. (Or you copy/paste or even type your password from your password manager.)

Yes, it would be easier to snap a picture of a QR code, but will that device have the ability to sync the passkeys from my iPhone to it?
Not sure what you mean here. The QR code is just an option if you don't have access to your passkeys on the device you are using (e.g. a public computer). Since you don't have physical access to your secret key (again, can't lose what you don't have direct access to), you need an alternative. (The other alternative is to not allow access from a computer that doesn't have a copy of your private key. That is more secure, but there is a trade-off around usability, and it would probably encourage users to NOT use passkeys, which is against the goal Apple, Google, and others have.)
--

My argument is that yes, I do use a password manager, but I can also remember my passwords and type them. With passkeys I cannot remember my passkeys or type them. Also, passwords are cross-platform. I can type them anywhere. Passkeys are not, at least not without some sort of a syncing method.

Even on some websites like banks, sometimes you get a panel with a keyboard where you have to type in a PIN code or a password via a digital keyboard using a mouse. I do not know why they do this, but it shows you how versatile a password is.
You're right, passwords are more "portable". If that is your major concern, then maybe you don't want to use passkeys. But you are trading security for convenience.
-----------

One thing I would love, if passkeys can do it, is if I do not have to re-login or get timed out of the account. This is extremely frustrating for me. If it can identify me on the fly that would be much easier, but then again, sometimes you want to use websites without being logged in, like in private tab mode.
That is a function of the website, not the authentication method. But, good security requires regular authentication. A forum like MacRumors, I set the "Remember Me" option and let a cookie save my login information. (A better forum would expire the cookies after a certain period of time, one month, one year, etc) But, I would NEVER want my Bank to keep me logged in.
 
You don't, it is saved in a secure container. You can't lose what you don't have access to. (You couldn't memorize it anyway, it is way too long.)

I do not have access to my keys? How do I manage them? Who has access to them? Who can unlock them?

Not sure what you mean here. The QR code is just an option if you don't have access to your passkeys on the device you are using (e.g. a public computer). Since you don't have physical access to your secret key (again, can't lose what you don't have direct access to), you need an alternative. (The other alternative is to not allow access from a computer that doesn't have a copy of your private key. That is more secure, but there is a trade-off around usability, and it would probably encourage users to NOT use passkeys, which is against the goal Apple, Google, and others have.)

When I mentioned the PlayStation example you said the PlayStation will authenticate by "syncing" using my trusted device like an iPhone, which is better than typing in my password. My question is, what if that device (PlayStation) does not have the built-in capability to sync with my iPhone for passkeys?


You're right, passwords are more "portable". If that is your major concern, then maybe you don't want to use passkeys. But you are trading security for convenience.

That is a function of the website, not the authentication method. But, good security requires regular authentication. A forum like MacRumors, I set the "Remember Me" option and let a cookie save my login information. (A better forum would expire the cookies after a certain period of time, one month, one year, etc) But, I would NEVER want my Bank to keep me logged in.

Why is expiring sessions more secure? Let's assume the cookie login information is in an "encrypted" file like passkeys are stored in on your computer. How is it more secure to keep logging me out (unless I am using a public computer)?

----

Would you happen to know if typing your password to unlock your password manager on a website, or extension, can be intercepted? You know those stars that obfuscate the characters? Because if it can, then that is a whole new level of danger for password managers. I recall an old trick where scammers would redirect you to a site that resembles a popular one and let you enter your credentials and steal them, e.g. hotmail -> hotnail.
 
I do not have access to my keys? How do I manage them? Who has access to them? Who can unlock them?
OK, sorry if I was oversimplifying for the sake of the discussion. Of course you have "access" to your passkeys. And there may be a way to open them and read the data. But it is not something you would need to do. Here, let me give you an example. This is HALF of my PUBLIC key:

Code:
AAAAB3NzaC1yc2EAAAADAQABAAACAQDHMGeEoOSIScpD4aR8eNvUTtcbT8uSUV4TUcO/AfYB5hfMT12vj

I don't think you want to type that. (To be crystal clear, that is my PUBLIC key, not my PRIVATE key. They are similar in construction. ) Your private key will be very similar.

When I mentioned the PlayStation example you said the PlayStation will authenticate by "syncing" using my trusted device like an iPhone, which is better than typing in my password. My question is, what if that device (PlayStation) does not have the built-in capability to sync with my iPhone for passkeys?
I don't remember talking about a PlayStation, sure that wasn't someone else? Either way, you're right, there are two possibilities. One, there is a way to transfer your private keys between devices. While that is very likely among similar devices (Apple via iCloud Keychain to other Apple devices, Chrome to any other Chrome browser you are logged in to, etc.), since I doubt Apple will ever bring a way to use your iCloud Keychain to a PlayStation, you will need to use an alternate method. Or, you continue to use a password on sites that you have a need to visit on your PlayStation and save passkeys for sites that you only visit on your computer/iPhone/iPad.
Why is expiring sessions more secure? Let's assume the cookie login information is in an "encrypted" file like passkeys are stored in on your computer. How is it more secure to keep logging me out (unless I am using a public computer)?
AFAIK every major browser stores their cookies in plain text. In fact, open the Developer Tools on your browser of choice and you can see the cookies that are being shared with each website. Cookies do NOT store passwords. (TBH, I am not knowledgeable enough to know EXACTLY what data MacRumors stores in your browser cookies to retain your login setting, but I know it is not a password.)
Would you happen to know if typing your password to unlock your password manager on a website, or extension, can be intercepted? You know those stars that obfuscate the characters? Because if it can, then that is a whole new level of danger for password managers. I recall an old trick where scammers would redirect you to a site that resembles a popular one and let you enter your credentials and steal them, e.g. hotmail -> hotnail.
Sure. If a website processes your login on the server side, then it sends your password to the server where the server compares the supplied password with the (hopefully hashed and salted) password. Other websites may use javascript in the webpage to hash your password and then send the hashed password to the server for validation. That is more secure.

Since you mention password managers, using a javascript application is how 1Password works. When visiting your vault website (or even using the browser extension), your password and secret key never leave your computer. Instead, your decryption key is computed locally in the browser/extension. Your password NEVER leaves your computer. NEVER!

Is there a chance that an organization could be harvesting passwords secretly? I guess it is possible, but that is why I use a company that I trust.

(The stars are ONLY to prevent someone from looking over your shoulder and seeing your password, it has nothing to do with what is transmitted to the server.)

And yes, phishing websites have always been a problem and will continue as long as users are stupid and don't practice safe browsing. That is why proper security hygiene is important:
  • Use a separate password for EVERY site.
  • NEVER click on a link in an email unless you are 100% sure of the source. Either copy/paste the link and inspect it or, better yet, manually type in the website home page. (so you go to bankofamerica.com instead of bank0famerica.com)
  • Use a secure form of MFA (SMS is ok, TOTPs are better, security keys are even better!)
P.S. I hope these posts are educational for you.
 
What do you mean I do not store my password on the site? I thought sites store a hash of my password, so even if someone gets his hands on it it's no use to them. I believe with passkeys it's a 2-key system, one with the site and one with my device. So is there any real benefit? Unless hashed passwords can be broken, which I believe is very difficult using 256-bit encryption, if I am not mistaken.


How is the password intercepted on an HTTPS site?
Plus, let's say I buy a new iPhone and I have to log in to my iCloud. How can I use passkeys? I have to use my iCloud password. And as they say, you are only as strong as your weakest link. So yeah, the passwords are still there.

One benefit I can see is the one-click login. It's better than filling 2 fields, and sometimes you fill in the user name at one site then get forwarded to another site to input the password. Very slight improvement though.
There are many ways a password can be intercepted on an HTTPS site. One, there have been many weaknesses in HTTPS itself; see POODLE from a few years ago as an example. Two, by compromising devices (keyloggers are the simplest way), or by compromising the device on the other end. (See: every major OpenSSL vulnerability in the last ten years.)

The "only as strong as your weakest link" argument misunderstands how security breaches tend to work fundamentally. I'll take just Apple having a password, and with strong MFA (they just announced FIDO support) as opposed to me being dependent on every single password with every single separate account being stored properly. That's really the difference here: with passwords, you are relying on every single provider to be securing you properly, with passkeys, you are not.

As to the storing a hashed password, even in the best case scenario, where the site is using a strong hashing algorithm with good salts, brute forcing those password tables should they leak is *way* easier than (essentially impossible) deriving the public key from a passkey. Sites would have to demand 1000 character, totally random passwords to even come close.

Most breaches happen because one site you have an account with gets compromised, and then malicious actors can go try that password and email combo with 1000 other sites. While password managers work pretty well for the kind of users posting to Mac Rumors, this is still a huge problem. Passkeys are the best hope we have of fundamentally solving this problem.
 
There are many ways a password can be intercepted on an HTTPS site. One, there have been many weaknesses in HTTPS itself; see POODLE from a few years ago as an example. Two, by compromising devices (keyloggers are the simplest way), or by compromising the device on the other end. (See: every major OpenSSL vulnerability in the last ten years.)

The "only as strong as your weakest link" argument misunderstands how security breaches tend to work fundamentally. I'll take just Apple having a password, and with strong MFA (they just announced FIDO support) as opposed to me being dependent on every single password with every single separate account being stored properly. That's really the difference here: with passwords, you are relying on every single provider to be securing you properly, with passkeys, you are not.

You are saying passkeys rely on an official standard, meanwhile passwords' implementation is up to the host to secure? You have a point, but I guess there is no reason not to make a similar standard for passwords like passkeys have.

We go back to my original problem: if I lose my passkey (which is stored somewhere in my computer), how can I re-access my accounts? With passwords I can remember it in my head, write it down in a notebook, get a password "hint" from some services.

As to the storing a hashed password, even in the best case scenario, where the site is using a strong hashing algorithm with good salts, brute forcing those password tables should they leak is *way* easier than (essentially impossible) deriving the public key from a passkey. Sites would have to demand 1000 character, totally random passwords to even come close.

Most breaches happen because one site you have an account with gets compromised, and then malicious actors can go try that password and email combo with 1000 other sites. While password managers work pretty well for the kind of users posting to Mac Rumors, this is still a huge problem. Passkeys are the best hope we have of fundamentally solving this problem.

It might be "easier" but it's secure enough, ain't it? Bitwarden's password strength check says a passphrase of 22 characters will take centuries to crack by a computer. So is there a need for a 1000-character passkey?
 
You are saying passkeys rely on an official standard, meanwhile passwords' implementation is up to the host to secure? You have a point, but I guess there is no reason not to make a similar standard for passwords like passkeys have.

We go back to my original problem: if I lose my passkey (which is stored somewhere in my computer), how can I re-access my accounts? With passwords I can remember it in my head, write it down in a notebook, get a password "hint" from some services.



It might be "easier" but it's secure enough, ain't it? Bitwarden's password strength check says a passphrase of 22 characters will take centuries to crack by a computer. So is there a need for a 1000-character passkey?
I'm getting that you really like passwords, but both of those first issues are kind of silly. Passkeys *are* the standard that experts have come up with, rather than a standard for every provider to implement. Certainly you see how it's better to use good security rather than to rely on every single password provider to be doing the right thing? That's the actually sound "weakest link" argument at play here, and Passkeys solve it.

Two, again, no passkey implementation involves you just keeping it on your computer. I mean yes, if you really want to do that you can, but yes, if you simply insist on kneecapping the new technology to make it like the old tech, it will be weaker.

You have hit on a point that I think I said earlier in this thread: passkeys' possibly biggest hurdle to adoption is they rely on cryptography that is nearly magical to work. A large swath of users who don't understand how it's stronger will avoid adopting it.

And again, yes, if everyone uses Bitwarden long passwords are pretty doable. But in the same post you said you wanted passwords you can remember. Passkeys are the most viable option for not very technical users to get better than either option for very little effort.
 
I'm getting that you really like passwords, but both of those first issues are kind of silly.

I like passwords because I can log in to anywhere and unlock anything myself. I do not have to rely on a phone number, a working device, or anything else. I am tied to nothing. I can travel to Japan, buy a phone, and log in to my Outlook account. I do not have to worry about corrupted saves or failed SSDs/HDDs or dead battery on my phone or my stolen phone.

Passkeys *are* the standard that experts have come up with, rather than a standard for every provider to implement. Certainly you see how it's better to use good security rather than to rely on every single password provider to be doing the right thing? That's the actually sound "weakest link" argument at play here, and Passkeys solve it.

So you are telling me that passkeys are a standard that has to meet certain requirements globally, like Wi-Fi and USB? So if a website is implementing passkeys then I am guaranteed security and nothing funny is happening in the background?

Can my passkey get leaked like my password?

Do I use a password to unlock my password manager (Bitwarden) or a passkey?

You have hit on a point that I think I said earlier in this thread: passkeys' possibly biggest hurdle to adoption is they rely on cryptography that is nearly magical to work. A large swath of users who don't understand how it's stronger will avoid adopting it.

Of course, no one will use something they do not understand, especially when it comes to security. E.g., do you expect people to give you their money when you tell them "There is a new storage system in a school gym; I can keep it there for you. Trust me, it's safe, no one is going to steal your money"?

And again, yes, if everyone uses Bitwarden long passwords are pretty doable. But in the same post you said you wanted passwords you can remember.

I can remember passphrases which can go up to 30+ characters. I can't remember random string(dnIi230fls:'idOnc)


Passkeys are the most viable option for not very technical users to get better than either option for very little effort.

I agree to some extent, but now people lose their Instagram account because it has a weak password. If they lock their password manager with a weak password, they will lose everything, because someone else will access all their passkeys, assuming a cloud service like 1Password. That is unless 2FA with a cellphone number is mandatory.
 
I like passwords because I can log in to anywhere and unlock anything myself. I do not have to rely on a phone number, a working device, or anything else. I am tied to nothing. I can travel to Japan, buy a phone, and log in to my Outlook account. I do not have to worry about corrupted saves or failed SSDs/HDDs or dead battery on my phone or my stolen phone.
So you remember EVERY password you have created? I find that very hard to believe.
So you are telling me that passkeys are a standard that has to meet certain requirements globally like Wifi and USB? So if a website is implementing passkeys then I am guaranteed security and nothing funny is happening in the background?
Nothing is guaranteed. If you happen to visit a site that is less than honest, it is possible that something nefarious is going on. Plus, standardization is to ensure interoperability, not just security. Imagine if Apple introduced one version of passkeys on its website and Microsoft another.

But, passkeys protect your security by making the most common issues with passwords (weak passwords, repeated passwords, insecure password storage) invalid.

Weak Passwords? A passkey is two 256-bit keys that are related but independent (you can't derive one from the other.)

Repeated Passwords? A new passkey is derived for every website. If a website is hacked and your public passkey is stolen from that site, it does NOTHING for any other site.

Insecure Password storage? Doesn't matter, see above. Plus, the website only has HALF the passkey. Your half (the private key) is stored on your computer. If a hacker were to get a dump of the passkey file of a web site, they still would not be able to do anything with it.
Can my passkey get leaked like my password?
Yes! But, as I have explained multiple times to you, there are TWO parts to your passkey, one stored at the website, one stored on your computer (or in your password/passkey manager). The most important key is the one stored on your computer. That is the one that needs to be protected. The website part is useless without your private key.
Do I use a password to unlock my password manager(Bitwarden) or a passkey?
You will continue to use a password, or TouchID/FaceID.
Of course, no one will use something they do not understand, especially when it comes to security. Ex. Do you expect people to give you their money when you tell them "There is a new storage system in a school gym; I can keep it there for you. Trust me, it's safe, no one is going to steal your money"?
You don't have to understand the details to understand it is safer. Do you understand how your chosen password manager encrypts your passwords? Probably only at a superficial level.

I, and others, have explained multiple times how passkeys work and why they are inherently more secure than passwords. And if that isn't enough, here is Apple's documentation on Passkeys:

About the security of passkeys - Apple Support

I can remember passphrases which can go up to 30+ characters. I can't remember random strings (dnIi230fls:'idOnc).
How many passphrases can you remember? 5, 50, 500? And was it horse-battery-staple-trombone or horse-staple-battery-trombone? Most people can only memorize a handful of passphrases. I know maybe 5 by heart? My home computer password, my work password (which is my work computer password), my 1password password, and one or two other work passwords that I have to type repeatedly. I probably have 500 passwords stored in 1password. I don't use 99% of those nearly enough to have memorized them.

There is no doubt that passphrases are better than most typical passwords, but they still rely on the fact that both sides of the transaction must have some knowledge of the original password, which exposes TWO vectors for theft.
I agree to some extent, but now people lose their Instagram account because it has a weak password. If they lock their password manager with a weak password, they will lose everything because someone else will access all their passkeys, assuming a cloud service like 1Password. That is unless 2FA with a cellphone number is mandatory.
So, your proposal is to continue to use a less secure method? Sounds like cutting off your nose to spite your face.

The weakest link of any security solution is always going to be the end user. The key is to encourage users to use some basic security hygiene like strong passwords on their password manager and not having the same password on multiple sites. And don't use SMS for MFA if stronger methods are available.

And, I want to correct something. I use 1Password with a cloud service. My choice. With the recent LastPass hack, I was shocked to find out that LastPass only used a Master Password to encrypt its data. One of the reasons I use 1Password is that it uses TWO different secrets to encrypt the data. The decryption key is derived from a combination of my master password and the secret key, which is generated at vault creation. If 1Password ever experienced a breach, which resulted in someone getting the vaults, the hacker could NOT run a simple dictionary attack to decrypt the vault. They would need to know the secret key and how 1Password combines the master password and secret key to generate the encryption key.
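As an added illustration of the two-half split described in this post (not code from any participant, library or vendor), here is a Go sketch of the registration and challenge/response flow: the site stores only a public key, every site gets its own key pair, and a stolen copy of the site's table cannot answer a challenge. Ed25519 from the Go standard library stands in for the signature algorithms real passkeys negotiate, and the names Authenticator, Site and LoginWithStolenDump, plus the site-name prefix on the signed message, are assumptions made for this example.

```go
package main

import "crypto/ed25519"
import "crypto/rand"

// Authenticator stands in for the user's device or passkey manager: one private
// key per site, and the private half never leaves it.
type Authenticator struct{ keys map[string]ed25519.PrivateKey }

// Site is the relying party; all it ever stores per user is the public half.
type Site struct {
	name    string
	pubKeys map[string]ed25519.PublicKey
}

func NewAuthenticator() *Authenticator { return &Authenticator{map[string]ed25519.PrivateKey{}} }
func NewSite(name string) *Site         { return &Site{name, map[string]ed25519.PublicKey{}} }

// Register makes a fresh key pair for this site and hands the site only the public key.
func (a *Authenticator) Register(s *Site, user string) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	a.keys[s.name], s.pubKeys[user] = priv, pub
}

// Sign answers a site's random challenge with the key held for that site. The site
// name is bound into the signed message, so one site's key cannot answer another's.
func (a *Authenticator) Sign(site string, challenge []byte) []byte {
	if priv, ok := a.keys[site]; ok {
		return ed25519.Sign(priv, append([]byte(site+"|"), challenge...))
	}
	return nil // no passkey registered for that site
}

// Verify checks the answer against the stored public key; wrong, missing or other-site signatures fail.
func (s *Site) Verify(user string, challenge, sig []byte) bool {
	pub, ok := s.pubKeys[user]
	return ok && ed25519.Verify(pub, append([]byte(s.name+"|"), challenge...), sig)
}

// LoginWithStolenDump models an attacker who copied s.pubKeys in a breach and now faces a
// fresh challenge. A public key cannot sign, so their best effort is a key of their own.
func LoginWithStolenDump(s *Site, user string) bool {
	_, theirKey, _ := ed25519.GenerateKey(rand.Reader)
	challenge := make([]byte, 32)
	rand.Read(challenge) // the site's challenge: fresh randomness, nothing secret on the wire
	return s.Verify(user, challenge, ed25519.Sign(theirKey, append([]byte(s.name+"|"), challenge...)))
}
```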
 
I like passwords because I can log in to anywhere and unlock anything myself. I do not have to rely on a phone number, a working device, or anything else. I am tied to nothing. I can travel to Japan, buy a phone, and log in to my Outlook account. I do not have to worry about corrupted saves or failed SSDs/HDDs or dead battery on my phone or my stolen phone.
You can still do those things. You seem to be ignoring how they actually work and just asking the same questions again and again. You can sync them to a cloud provider and unlock them with a password/phrase from there.

And again, as has been explained to you, the reason they are superior is because *math* guarantees the provider doesn't have information that is useful if it leaks. It is a standard like TLS is a standard more than like Wifi is a standard.

I don't know man, I don't think anyone is going to try to explain to you more. I get that you want passwords to stick around, but thankfully, most people in the know don't agree.
So you remember EVERY password you have created? I find that very hard to believe.

I remember key ones that I need to unlock my other accounts like email for 2fa and password manager.

You will continue to use a password, or TouchID/FaceID.

This is the point I wanted to get to. They said passkeys will replace passwords and it's simply not true. You will still need to use passwords at some point.

You don't have to understand the details to understand it is safer. Do you understand how your chosen password manager encrypts your passwords? Probably only at a superficial level.

I, and others, have explained multiple times how passkeys work and why they are inherently more secure than passwords. And if that isn't enough, here is Apple's documentation on Passkeys:

About the security of passkeys - Apple Support

You're correct, but I know it still stores a password that I can see, then type in my online accounts. With passkeys it's storing something I do not understand that "magically" unlocks your online account. A simpler explanation would be:

Passkeys are a long string password made in two parts. One stored on your device and one stored on the website. It's like a key split in half; when they join together it's like you have a full key to unlock your account. This is simpler for the average Joe to understand.

https://support.apple.com/en-us/HT213305
There is no doubt that passphrases are better than most typical passwords, but they still rely on the fact that both sides of the transaction must have some knowledge of the original password, which exposes TWO vectors for theft.

Will there still be a need for 2FA with passkeys?

So, your proposal is to continue to use a less secure method? Sounds like cutting off your nose to spite your face.

The weakest link of any security solution is always going to be the end user. The key is to encourage users to use some basic security hygiene like strong passwords on their password manager and not having the same password on multiple sites. And don't use SMS for MFA if stronger methods are available.

And, I want to correct something. I use 1Password with a cloud service. My choice. With the recent LastPass hack, I was shocked to find out that LastPass only used a Master Password to encrypt its data. One of the reasons I use 1Password is that it uses TWO different secrets to encrypt the data. The decryption key is derived from a combination of my master password and the secret key, which is generated at vault creation. If 1Password ever experienced a breach, which resulted in someone getting the vaults, the hacker could NOT run a simple dictionary attack to decrypt the vault. They would need to know the secret key and how 1Password combines the master password and secret key to generate the encryption key.

I agree that for average people passkeys will be safer for them, but using the current password system with longer passphrases+password manager I do not see any major hacks going on.

There is something I do not understand though. With cloud stored password managers, I need to unlock it with a password, so if I get a new computer, download 1Password and unlock it with my password to sync my passkeys, where is this 2-key verification thing going on? I am talking about the secret key generated at vault creation.

You can still do those things. You seem to be ignoring how they actually work and just asking the same questions again and again. You can sync them to a cloud provider and unlock them with a password/phrase from there.

And again, as has been explained to you, the reason they are superior is because *math* guarantees the provider doesn't have information that is useful if it leaks. It is a standard like TLS is a standard more than like Wifi is a standard.

I don't know man, I don't think anyone is going to try to explain to you more. I get that you want passwords to stick around, but thankfully, most people in the know don't agree.

I get what you are saying, but I assure you if I am confused then most people won't pick up on this technology because they will even be more confused.

A major point of confusion that is happening is passkey advocates claiming that passkeys are going to replace passwords. Then when someone asks how do I unlock my password manager, they say you still need to use a password.

I hope you understand the confusing part for us.
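To make the two-secret point from earlier in the thread concrete, and to show where the secret key enters when a vault is unlocked, here is an added Go example that is not 1Password's code or its published algorithm: a vault keyed from the master password alone falls to a short wordlist once the stored data leaks, while the same weak password mixed with a random secret key held only on the user's devices does not. The HMAC-based stretch, the 20000-iteration work factor, the key check value and all names are constructed for illustration.

```go
package main

import "crypto/hmac"
import "crypto/rand"
import "crypto/sha256"

// stretch slows every guess by iterating HMAC-SHA256; a stand-in for PBKDF2/Argon2 (assumption).
func stretch(password, salt []byte) []byte {
	out := append([]byte{}, salt...)
	for i := 0; i < 20000; i++ { // constructed work factor; real managers use far more
		m := hmac.New(sha256.New, password)
		m.Write(out)
		out = m.Sum(nil)
	}
	return out
}

// DeriveKey mixes the stretched password with a random per-account secret key. With a nil
// secret it degrades to password-only derivation. (Simplified, not 1Password's published scheme.)
func DeriveKey(password, salt, secretKey []byte) []byte {
	m := hmac.New(sha256.New, secretKey)
	m.Write(stretch(password, salt))
	return m.Sum(nil)
}

// Vault is what a breached server could hand over: salt and key check value, never the secret key.
type Vault struct{ Salt, Check []byte }

func checkValue(key []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write([]byte("vault-check"))
	return m.Sum(nil)
}

func NewVault(password, secretKey []byte) Vault {
	salt := make([]byte, 16)
	rand.Read(salt)
	return Vault{salt, checkValue(DeriveKey(password, salt, secretKey))}
}

func (v Vault) Opens(key []byte) bool { return hmac.Equal(v.Check, checkValue(key)) }

// DictionaryAttack: every word, with whatever secret the attacker holds (nil = server dump only).
func DictionaryAttack(v Vault, words []string, knownSecret []byte) string {
	for _, w := range words {
		if v.Opens(DeriveKey([]byte(w), v.Salt, knownSecret)) {
			return w
		}
	}
	return ""
}
```

On a new device the user supplies both the master password and the secret key, so DeriveKey can be recomputed locally; the server never sees either.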
 
I hope you understand the confusing part for us.
The confusing part is only there because you don’t seem to listen to the people explaining it and somehow have this fixed perception. Many have been patiently trying to help to explain but you keep coming back to how you use passwords. Which is fine, you can keep using them if you prefer that and the sites support them. No problem at all.

Me I’d happily switch to a more secure mechanism and prefer to manage my own keys.
 